Audit Report No. D-2011-020                                      November 29, 2010

     DOD Controls Over Information Placed on Publicly
      Accessible Web Sites Require Better Execution

Additional Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense
Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports
Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for
Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:

                      ODIG-AUD (ATTN: Audit Suggestions)
                      Department of Defense Inspector General
                      400 Army Navy Drive (Room 801)
                      Arlington, VA 22202-4704

Acronyms and Abbreviations
AFIS                          American Forces Information Service
DEPSECDEF                     Deputy Secretary of Defense
FOUO                          For Official Use Only
IOSS                          Interagency Operations Security Support
JWRAC                         Joint Web Risk Assessment Cell
OPSEC                         Operations Security
PII                           Personally Identifiable Information

                                     INSPECTOR GENERAL
                                     DEPARTMENT OF DEFENSE
                                       400 ARMY NAVY DRIVE
                                  ARLINGTON, VIRGINIA 22202-4704

                                                                              November 29, 2010

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS
                 AND INFORMATION INTEGRATION/DOD CHIEF
                 INFORMATION OFFICER
               ASSISTANT SECRETARY OF DEFENSE FOR PUBLIC AFFAIRS
               ASSISTANT SECRETARY OF THE AIR FORCE FOR
                 FINANCIAL MANAGEMENT AND COMPTROLLER

SUBJECT: DOD Controls Over Information Placed on Publicly Accessible Web Sites Require
         Better Execution (Report No. D-2011-020)

We are providing this report for your review and comment. We considered management
comments on a draft of this report when preparing the final report. When sensitive information
on DOD publicly accessible Web sites is retrieved by adversaries, it places DOD personnel and
missions at risk. We evaluated management of 436 public Web sites for their compliance with
mandatory content and approval procedures and training requirements. We determined that
DOD Web site administrators are not properly managing their Web sites.

DOD Directive 7650.3 requires that all recommendations be resolved promptly. Comments from
the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief
Information Officer, the Assistant Secretary of Defense for Public Affairs, Air Force Director
Network Services Office of Information Dominance and Chief Information Officer, and the Vice
Director Defense Information Systems Agency were generally responsive. As a result of
management comments and suggestions on the draft report, we revised Recommendation A.2 to
better align with the impending Instruction. We request that the Assistant Secretary of Defense
for Networks and Information Integration/DOD Chief Information Officer provide additional
comments on the final report by December 22, 2010. See Recommendations Table on page ii of
this report.

If possible, send a .pdf file containing management comments to audros@dodig.mil. Copies of
management comments must have the actual signature of the authorizing official. We are unable
to accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified
comments electronically, you must send them over the SECRET Internet Protocol Router
Network (SIPRNET).

We appreciate the courtesies extended to the staff.
Please direct questions to me at
(703) 604-8866 (DSN 664-8866).

                                            Alice F. Carey
                                            Assistant Inspector General
                                            Readiness, Operations, and Support

Report No. D-2011-020 (Project No. D2009-D000LB-0147.000)                     November 29, 2010

                  Results in Brief: DOD Controls Over
                  Information Placed on Publicly Accessible
                  Web Sites Require Better Execution

What We Did
We performed the audit in response to a September 25, 2008, request by the then Deputy
Secretary of Defense for the DOD OIG to address concerns that sensitive information continues
to be found on DOD public Web sites. We evaluated the management of 436 public Web sites for
their compliance with mandatory content and approval procedures and training requirements. We
also reviewed 3,211 DOD-identified Web sites for public accessibility.

What We Found
DOD did not execute enforcement actions for noncompliance with Web site policies and
procedures, and Components did not fully disseminate required policies and procedures
governing publicly accessible Web sites. As a result, sensitive information continues to be
posted to DOD public Web sites, putting DOD missions and personnel at risk. We found:
• 43 of 73 DOD organizations failed to respond to the Deputy Secretary of Defense requirement
  to certify their Web sites.
• Web site administrators for 207 out of 436 public Web sites of DOD Components failed to
  implement proper content review and approval procedures.
• 452 of 470 DOD Web site administrators reviewed did not receive the required Web operations
  security training.

DOD is not maintaining a Department-wide inventory of all its public Web sites as required by
law. DOD stopped funding and discontinued its central Web site inventory system in 2006. A
total of 791 Web sites identified by DOD in their inventories as publicly accessible were
actually password-protected or nonexistent. Furthermore, individual organizations are not
maintaining accurate inventories of Web sites and cannot ensure that all information posted on
public Web sites has received proper review.

What We Recommend
Among other recommendations, we recommend the Assistant Secretary of Defense for Public
Affairs [ASD (PA)] within 120 days develop and maintain a DOD inventory of all publicly
accessible Web sites. We recommend the Assistant Secretary of Defense for Networks and
Information Integration/DOD Chief Information Officer [ASD (NII)/DOD CIO] within 120 days:
• Require heads of DOD Components to certify annually that a documented Web review and
  approval process has been developed and implemented.
• Require all Web administrators to receive the proper Web operations security training.
• Require Military Services to maintain an integrated registration system within the DOD’s
  central registration system.

Management Comments and Our Response
Comments from the ASD (NII)/DOD CIO, ASD (PA), Air Force Director Networks Services Office,
and Vice Director, Defense Information Systems Agency (DISA) generally agreed with and
responded to our recommendations. However, the ASD (NII)/DOD CIO’s comment was only partially
responsive to Recommendation A.2. We partially agreed with the ASD (NII)/DOD CIO and revised
Recommendation A.2 to better align with the impending Instruction. We request that the
ASD (NII)/DOD CIO provide additional comments on Recommendation A.2. We request management
provide comments by December 22, 2010. Please see the recommendations table on the back of
this page.
Recommendations Table

Management                          Recommendations                No Additional Comments
                                    Requiring Comment              Required
----------------------------------  -----------------------------  ------------------------------
Assistant Secretary of Defense      A.2.a, A.2.b, A.2.c, A.2.d,    A.1, A.3, B.2.a, B.2.b,
for Networks and Information        A.2.e                          B.2.c, B.2.d
Integration/DOD Chief
Information Officer

Assistant Secretary of Defense                                     B.1
for Public Affairs

Secretary of the Air Force                                         A.5

Director, Joint Web Risk                                           A.4
Assessment Cell

Please provide comments by December 22, 2010.

Table of Contents
Results in Brief                                                                   i

Introduction                                                                       1
       Objectives                                                                  1
       Background                                                                  1
       Review of Internal Controls                                                 2
Finding A. Weaknesses in DOD’s Web Site Review and Approval Process                3
       DOD Organizations’ Certification of Publicly Accessible Web Sites Needs
          Improvement                                                              4
       Inconsistent Web Site Content Review and Approval Process                   5
       Web Site Administrators Lack Web Operations Security Training               8
       Availability of Operations Security Training Courses                       10
       Management Oversight                                                       10
       Web Risk Assessment Cell Continues to Find Sensitive Information on DOD
          Publicly Accessible Web Sites                                           10
       Management Comments on the Finding and Our Response                        11
       Recommendations, Management Comments, and Our Response                     12
Finding B. DOD Lacks a Complete Inventory for Publicly Accessible Web Sites       15
       DOD Did Not Maintain a Central Web Site Inventory of All Publicly
          Accessible Web Sites                                                    16
       Inventories of DOD Organizations’ Public Web Sites                         16
       Management Actions                                                         19
       Recommendations, Management Comments, and Our Response                     20
Appendices
       A. Scope and Methodology                                                   23
       B. Public Web Site Certification Compliance                                26
       C. Interagency Operations Security Support Staff FY 2010 Training
             Schedule for Courses OPSE-1500 and OPSE-3500                         32
       D. Management Comments on the Finding and Our Response                     33
       E. Criteria for DOD Web Site Inventory                                     36
       F. Deputy Secretary of Defense Memorandum for Office of the
              Inspector General                                                   38
Management Comments
       Assistant Secretary of Defense for Networks and Information Integration/
          DOD Chief Information Officer                                           39
       Assistant Secretary of Defense for Public Affairs                          43
       Secretary of the Air Force                                                 45
       Defense Information Systems Agency (Joint Web Risk Assessment Cell)        47

Introduction

Objectives
In a September 25, 2008, memorandum to the DOD Office of the Inspector General, the
then Deputy Secretary of Defense (DEPSECDEF) outlined his concerns that “sensitive
information frequently can still be found on publicly accessible Web sites.” To address
these concerns, the then DEPSECDEF requested the Inspector General to include this
matter when executing his oversight responsibility.

As a result, the DOD Office of the Inspector General announced an audit of controls over
information contained on DOD publicly accessible Web sites. The overall objective was
to determine whether DOD Components are in compliance with Web site security policy.
Specifically, we determined whether DOD Components have controls and processes in
place to ensure review and approval of all information posted to publicly accessible Web
sites before posting. We also determined whether personnel responsible for review of
information for Web posting have received Web operations security (OPSEC) training.
See Appendix A for a discussion of the scope and methodology and prior audit coverage.

Background
DOD publicly accessible Web sites are unrestricted by password or public key
infrastructure user authorization and can be accessed directly from the Internet by
members of the public.
Due to extensive use of Web archiving tools, once information is
posted to publicly accessible Web sites, it is captured and distributed throughout the
World Wide Web. Preventing the disclosure of sensitive information requires proper
review of that information prior to posting.

On January 14, 2003, the then Secretary of Defense issued a memorandum to DOD
Components concerning discrepancies in Web site OPSEC. The memorandum directed
heads of DOD Components to ensure Web site owners take responsibility for all content
posted to their organizations’ Web sites. It directed Web site owners to redouble their
efforts to ensure that only the information necessary to accomplish their missions be
posted to publicly accessible Web sites. This is especially critical in light of the Al
Qaeda training manual recovered in Afghanistan that, when translated, states, “Using
public sources openly and without resorting to illegal means, it is possible to gather at
least 80 percent of information about the enemy.”

Joint Web Risk Assessment Cell
The Joint Web Risk Assessment Cell (JWRAC), a DEPSECDEF-chartered cell within the
Defense Information Systems Agency, is responsible for conducting OPSEC assessments
and trend analyses of content and data on DOD publicly accessible Web sites. JWRAC
reviews Web sites for compliance with existing DOD Web policy and directs remediation
actions to bring Web sites into compliance. The JWRAC performs analyses of the data to
determine any existing OPSEC risks that may pose an immediate or potential threat to
warfighters. According to officials, JWRAC conducts analyses of organization Web sites
on an annual schedule and by request from DOD organizations.

Review of Internal Controls
We determined that internal control weaknesses existed in DOD as defined by DOD
Instruction 5010.40, “Managers’ Internal Control (MIC) Program Procedures,”
January 4, 2006. DOD Components lacked processes for ensuring:

    •   administrators of DOD public Web sites implement proper content review
        procedures;
    •   administrators of public Web sites[1] receive the required Web OPSEC training; and
    •   an accurate inventory of DOD publicly accessible Web sites as required by public
        law, the Office of Management and Budget, and DOD policy.

Therefore, DOD does not have reasonable assurance that all DOD Components are
implementing controls for the review and approval of content prior to posting to DOD
publicly accessible Web sites. Also, DOD did not ensure Components were preventing
the posting of sensitive and/or Personally Identifiable Information (PII) on DOD publicly
accessible Web sites.

We also determined that some Army activities failed to include the management of Army
publicly accessible Web sites as a part of their internal control reviews. We further
determined that internal control guidance in the Navy, Air Force, and Marine Corps did
not mandate review of each Service’s public Web sites. Implementing the
recommendations in this report will correct DOD organizations’ failure to properly
review and approve information placed on publicly accessible Web sites and correct the
site registration deficiencies for DOD Services, agencies, and combatant commands.
We
will provide a copy of the report to the senior officials responsible for internal controls at
the Army, Navy, Air Force, Marine Corps, and DOD agencies and other offices listed in
Appendix A.

[1] DOD Web site administrators include: OPSEC managers, Web Managers, webmasters, public affairs
specialists, and anyone who reviews information prior to posting on publicly accessible Web sites.

Finding A. Weaknesses in DOD’s Web Site
Review and Approval Process
Many DOD organizations did not comply with DOD Web Site policy and procedures for
publicly accessible Web site content review and approval. Specifically:
   • Of 73 DOD organizations identified, 43 (59 percent) did not certify, as required,
       that they have mandatory content review and approval procedures in place for
       information posted to publicly accessible Web sites.
   • Of 436 publicly accessible Web sites reviewed, 207 (47 percent) did not have
       documented review and approval procedures, or existing procedures did not fully
       comply with requirements.
   • Of 470 Web site administrators reviewed, 452 (96 percent) had not received
       required OPSEC training.

This occurred because DOD organizations did not execute enforcement actions for
noncompliance with Web site policies and procedures, and Components did not fully
disseminate required policies and procedures governing publicly accessible Web sites.
As a result, DOD cannot ensure that all information posted to DOD publicly accessible
Web sites has been properly reviewed and approved. In fact, over the past 3 years,
DOD’s JWRAC has identified For Official Use Only (FOUO) information, PII, and
limited-distribution information posted on DOD publicly accessible Web sites. Improper
postings increase the risk of potentially harmful disclosure of information related to DOD
personnel and missions.

Criteria for Web Site Administration
DOD’s “Web Site Administration Policies and Procedures,” November 25, 1998, updated
January 11, 2002 (Web site administrative guidance), prescribes the process for content
review and approval of information to be placed on DOD publicly accessible Web sites.
This guidance requires heads of DOD Components and other organizations to establish a
content review and approval process for all information prior to posting on publicly
accessible Web sites.

DEPSECDEF Memorandum, “DOD Web Site Security Policy Compliance,”
September 25, 2008, states that DOD organizations must ensure information placed on
DOD publicly accessible Web sites is compliant with the DOD Web site administrative
guidance. Additionally, personnel trained in Web OPSEC must review information
placed on DOD publicly accessible Web sites for security concerns. The DEPSECDEF
Memorandum also requires DOD organizations to either certify an established process
for content review and approval or submit a plan of actions and milestones for
implementing a content review and approval process, and to certify that individuals
involved in the process have received Web OPSEC training. On August 6, 2006, the
Vice Chairman of the Joint Chiefs and the DEPSECDEF issued a joint message,
“Information Security/Web Sites Alert,” that required all command OPSEC managers,
webmasters, and public affairs specialists who review information for Web posting to
receive Web OPSEC training.

The Under Secretary of Defense for Intelligence is responsible for overseeing the DOD
OPSEC program.
OPSEC reviews are central to identifying and safeguarding critical
information. Therefore, critical information available on publicly accessible Web sites is
an OPSEC concern. Duties of OPSEC managers are consistent with Web site
administrator responsibilities, which include identifying and protecting unclassified
information that may individually or in the aggregate lead to compromise of classified
information and sensitive activities.

DOD Organizations’ Certification of Publicly Accessible
Web Sites Needs Improvement
The September 25, 2008, DEPSECDEF Memorandum required DOD organizations to
certify the implementation of public Web sites content review and approval procedures or
provide a plan of actions and milestones. We identified 73 DOD organizations that
operate DOD publicly accessible Web sites. Of the 73 organizations, 41 failed to certify
or submit a plan of actions and milestones as required by the DEPSECDEF
Memorandum. Of the 32 organizations that submitted a response, 10 submitted on or
before the revised January 20, 2009, due date, and 22 submitted after. Nine of 22 DOD
organizations submitted Web site certifications or provided a plan of actions and
milestones after being contacted by the audit team. See Figure 1 below[2] and
Appendix B.

Figure 1. Public Web Site Certification Compliance
(bar chart; vertical axis: Number of DOD Organizations)

    Submitted by Due Date 1-20-2009          10
    Submitted After Due Date 1-20-2009       22
    Agency Did Not Certify                   41

[2] Figure 1 and Appendix B include organizations submitted prior to August 30, 2010.

Eleven of the 32 DOD organizations submitted responses that did not contain all the
required information. Some heads of DOD Components failed to certify review and
approval procedures and training for their subordinate organizations; other heads of DOD
Components failed to specify to which subordinate organizations (agencies and
organizations) the certification pertained.
The remaining 21 organizations submitted
responses that included all the required information for review and approval, training, and
plan of actions and milestones when necessary.

Personnel from the Office of the Assistant Secretary of Defense Networks and
Information Integration/DOD Chief Information Officer stated their intention is to revise
the DOD Web site administrative guidance and reissue it as a DOD instruction to clarify
and provide more detailed procedures for Web site review and approval. On
November 9, 2009, they provided a draft copy of the revision to the audit team. The draft
contains necessary Internet-based controls that should assist with preventing
dissemination of inappropriate information over DOD Web-based applications.

Inconsistent Web Site Content Review and Approval
Process
DOD organizations that administer publicly accessible Web sites were not adequately
implementing content review and approval procedures before posting information.
Specifically, 207 of 436 publicly accessible Web sites reviewed were noncompliant
with the DOD Web site administrative guidance and the DEPSECDEF
Memorandum sent to all DOD Components. (See Figure 2.) These
policies require organizations to maintain consistent processes ensuring the review and
approval of all information posted to publicly accessible Web sites. Although several
organizations established local policies incorporating DOD Web site administrative
guidance and the DEPSECDEF Memorandum, they did not effectively enforce compliance
with the policies.

Figure 2. DOD Organizations' Compliance With Content Review and Approval Policy
(bar chart; vertical axis: Number of Publicly Accessible Web Sites)

                                 Noncompliant with Content      Compliant with Content
Organizations Visited            Review and Approval Process    Review and Approval Process
-------------------------------  -----------------------------  ----------------------------
Army                                          84                           185
Navy                                          40                             2
Marine Corps                                  37                             1
Air Force                                     14                             0
Other DOD Organizations                       32                            41

Below are the specific findings regarding management of publicly accessible Web sites
for Military Services and other DOD organizations.

Army Site Visit Results
We interviewed 148 Army Web administrators responsible for managing 269 Army
public Web sites and determined that Army Medical Command public Web site managers
complied with DOD Web site administrative guidance for the 185 public Web sites they
managed. Conversely, Web site managers for 84 other Army public Web sites were
noncompliant. Specifically, managers for 50 of the 84 Web sites lacked documented
review and approval procedures.
Managers for the remaining 34 Web sites had content
review and approval procedures, but the procedures were inconsistent with the DOD
policy and failed to fully address:
    • review of sensitive information to include data labeled FOUO;
    • review of information in the aggregate; and
    • review of PII for members of deployable units.

Army Regulation 25-1, “Army Knowledge Management and Information Technology,”
December 4, 2008, requires public affairs officers and other appropriate designees to
review and approve Web content before posting to the Internet for the general public and
ensure content meets requirements set forth in DOD Web site administrative guidance.
Although we found no PII on any of the Army public Web sites we reviewed, Army Web
administrators responsible for 84 Web sites did not comply with DOD and Army policies
and procedures for managing their Web sites.

Navy and Marine Corps Site Visit Results
Secretary of the Navy Instruction 5720.47B, “Department of the Navy Policy for Content
of Publicly Accessible World Wide Web Sites,” December 28, 2005, requires Navy and
Marine Corps activities to maintain publicly accessible Web sites that (1) implement and
administer a comprehensive Web site management program; (2) develop local procedures
for the approval of information posted on publicly accessible Web sites; and (3) ensure
posted information meets requirements set forth in DOD Web site administrative
guidance.

Navy
We interviewed 75 Navy Web site managers responsible for managing 42 public Web
sites and determined content review and approval processes for 40 public Web sites were
noncompliant with DOD Web site administrative guidance. The 40 public Web sites we
reviewed had content review and approval procedures, but the procedures did not fully
address requirements for reviewing:
    • sensitive information, to include data labeled FOUO as required by DOD policy;
    • information in the aggregate; and
    • PII such as family member information, date and place of birth, and duty location.

We found PII on seven Navy public Web sites. For example, one Web site contained
individuals’ dates and places of birth, spouses’ names, residences, and dependents’
names. After we notified the managers of the noncompliance, they removed the PII from
the seven public Web sites we identified.

Marine Corps
We interviewed 17 Marine Corps Web site managers responsible for managing 38 public
Web sites. The content review and approval process for Web site managers of 37 public
Web sites did not comply with DOD Web site administrative guidance. Thirty-seven
public Web sites we reviewed provided content review and approval procedures, but the
procedures did not fully address requirements for reviewing:
    • sensitive information, to include data labeled FOUO as required by DOD policy;
    • information in the aggregate; and
    • PII.

We found PII on 12 Marine Corps public Web sites.
For example, the Web sites contained individuals’ dates and places of birth, spouses’ names, residences, dependents’ names, and other PII. After we notified the Marine Corps public Web site managers of the noncompliance, they removed PII from 11 of the 12 public Web sites. The Web manager for the remaining Web site continues to evaluate the occurrence of PII on that Web site.

Air Force Site Visit Results
All 14 Air Force public Web sites we reviewed were managed and operated under the Air Force Public Information Management System. Air Force public Web site managers must sign a memorandum of understanding to access the Air Force Public Information Management System and register their public Web sites with the Air Force Public Affairs Agency. Only 1 of the 14 public Air Force Web sites we reviewed had established local plans, policies, and procedures for management of its Web site as required by the memorandum of understanding. The operating instructions for the Web site with documented content management procedures were outdated and failed to fully address DOD policy requirements for reviewing:
    • sensitive information, to include data labeled FOUO as required by DOD policy;
    • information in the aggregate; and
    • PII.
Although we found no PII on any of the 14 Air Force public Web sites, content managers for the 13 public Web sites without documented local procedures provided inconsistent approaches to Web site content management. Web site managers stated that the same individual could create, review, and approve content for public release, but some managers separated the duties. Separation of duties is a fundamental principle of various regulatory mandates, such as Sarbanes-Oxley and the Gramm-Leach-Bliley Act.

Air Force Instruction 33-129, “Web Management and Internet Use,” February 3, 2005, defines the roles and responsibilities of personnel maintaining Air Force public Web sites. It designates the Secretary of the Air Force Office of Public Affairs to develop a review process for posting information on publicly accessible Web sites. Further, Air Force Instruction 35-101, “Public Affairs Policies and Procedures,” November 29, 2005, mandates a security and policy review to ensure the material proposed for public release through Web sites is accurate, contains no classified material, and does not conflict with established Air Force, DOD, or U.S. Government policy. Near the completion of our audit, the Air Force issued Air Force Instruction 35-107, “Public Web Communications,” October 21, 2009, and is currently working to refine its guidance.

Other DOD Organization Site Visit Results
We interviewed public Web site managers from 12 Defense Agencies, 5 Office of the Secretary of Defense offices, and 1 combatant command, which, in combination, are responsible for managing 73 DOD public Web sites. Of the 73 public Web sites reviewed, 41 were compliant and 32 were noncompliant with DOD Web site administrative guidance. Managers for 17 of the 32 Web sites lacked documented review and approval procedures.
Web site managers for the remaining 15 Web sites provided content review and approval procedures that failed to fully address the following process requirements:
    • overall review before posting unmarked (FOUO) content;
    • clearance review;
    • review of content for sensitivity and distribution/release controls;
    • sensitivity of information in the aggregate; and
    • required training and knowledge of personnel.

Web Site Administrators Lack Web Operations Security Training
DOD organizations failed to ensure all DOD Web site administrators received the required training, and they implemented inconsistent procedures that omitted requirements for Web OPSEC training. On August 6, 2006, the Vice Chairman of the Joint Chiefs and the Deputy Secretary of Defense issued a joint message, “Information Security/Web Sites Alert.” The joint message requires all command OPSEC managers, webmasters, and public affairs specialists who review information for Web posting to receive Web OPSEC training. The message does not specify the frequency of the training. Web OPSEC training is critical to ensuring the identification, proper control, and proper posting of sensitive information to DOD public Web sites. Appropriate Web OPSEC training enhances the ability of content review participants to perform essential Web site administration tasks and manage the information in a responsible and secure manner.

We found that 452 of 470 DOD public Web site administrators did not complete required Web OPSEC training. Broken down by Service, 147 of 148 Army, 74 of 75 Navy, 45 of 45 Air Force, 17 of 17 Marine Corps, and 169 of 185 other DOD organizations’ Web site administrators did not meet DOD OPSEC training requirements.

Web site administrators responsible for content review and approval duties cited on-the-job training and knowledge acquired over the years as adequate preparation for executing the required review and approval procedures. Web site administrators stated they were unaware of the Web OPSEC training requirement. Other Web site administrators pointed to the lack of available Web OPSEC training classes and funding shortfalls that precluded travel to obtain required OPSEC training. See Figure 3.

Figure 3: Web Operational Security Training Compliance for DOD Organizations
(number of Web site administrators; values recovered from the chart)

    Organization                        Failed to Complete      Completed
                                        Web OPSEC Training      Web OPSEC Training
    Army                                       147                     1
    Navy                                        74                     1
    Air Force                                   45                     0
    Marine Corps                                17                     0
    Other DOD Organizations Visited            169                    16
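The review elements the site-visit results above found missing (review for FOUO markings, review for PII, review of information in the aggregate, and separation of the create and approve duties) can be enforced as a pre-release gate. The following is an added example, not code from the report or from any DOD or Service system; the file paths, reviewer identities, unit name and dates are constructed placeholders, and the regular expressions are illustrative heuristics rather than DOD-specified rules.

```python
"""Pre-release content review gate (added example; not from the DOD IG report).

Models the review elements the audit found missing: sensitive-marking (FOUO)
detection, PII detection, an aggregation check across a batch of pages, and a
separation-of-duties check between author and approver. All patterns are
illustrative heuristics and all sample pages are constructed.
"""
import re
from dataclasses import dataclass, field

# Heuristic patterns (assumptions for this example, not DOD-specified rules).
FOUO_RE = re.compile(r"\b(?:FOR OFFICIAL USE ONLY|FOUO)\b", re.IGNORECASE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:date of birth|DOB|born)\b[^\n]{0,30}?\d{1,2}/\d{1,2}/\d{2,4}",
                    re.IGNORECASE)
FAMILY_RE = re.compile(r"\b(?:spouse|wife|husband|dependents?)\b", re.IGNORECASE)
UNIT_RE = re.compile(r"\b\d+(?:st|nd|rd|th) [A-Z][a-z]+ (?:Battalion|Brigade|Squadron|Regiment)\b")
ROSTER_RE = re.compile(r"\b(?:roster|personnel listing|members include)\b", re.IGNORECASE)
DEPLOY_RE = re.compile(r"\b(?:deploys?|deploying|deployed) to\b", re.IGNORECASE)


@dataclass
class Submission:
    path: str       # where the page would be published
    author: str     # who created the content
    approver: str   # who is approving it for public release
    text: str


@dataclass
class ReviewResult:
    path: str
    findings: list = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return not self.findings


def review_one(sub: Submission) -> ReviewResult:
    """Per-page checks: separation of duties, sensitive markings, PII."""
    r = ReviewResult(sub.path)
    if sub.author == sub.approver:
        r.findings.append("separation-of-duties: author may not approve own content")
    if FOUO_RE.search(sub.text):
        r.findings.append("sensitive marking: FOUO content is not releasable to the public")
    if SSN_RE.search(sub.text):
        r.findings.append("PII: social security number pattern")
    if DOB_RE.search(sub.text):
        r.findings.append("PII: date of birth")
    if FAMILY_RE.search(sub.text):
        r.findings.append("PII: family member information")
    return r


def aggregate_findings(subs):
    """Batch check for information in the aggregate: pages that are individually
    releasable but together pair a unit's personnel roster with its deployment."""
    rosters, deployments = {}, {}
    for s in subs:
        for unit in set(UNIT_RE.findall(s.text)):
            if ROSTER_RE.search(s.text):
                rosters.setdefault(unit, []).append(s.path)
            if DEPLOY_RE.search(s.text):
                deployments.setdefault(unit, []).append(s.path)
    out = {}
    for unit in rosters.keys() & deployments.keys():
        for path in rosters[unit] + deployments[unit]:
            out[path] = f"aggregate: {unit} roster and deployment details would both be public"
    return out


def review_batch(subs):
    """Run per-page checks, then layer the aggregation check over the whole batch."""
    results = {s.path: review_one(s) for s in subs}
    for path, msg in aggregate_findings(subs).items():
        results[path].findings.append(msg)
    return results


# Constructed sample batch (placeholder names, unit and dates).
SAMPLE = [
    Submission("news/award.html", "j.doe", "j.doe",
               "SSgt Placeholder received the award. DOB 04/12/1985."),
    Submission("news/roster.html", "j.doe", "a.reviewer",
               "3rd Example Battalion roster: members include Sgt Alpha and Cpl Bravo."),
    Submission("news/deployment.html", "k.roe", "a.reviewer",
               "The 3rd Example Battalion deploys to Camp Placeholder next month."),
    Submission("docs/plan.html", "k.roe", "a.reviewer",
               "FOR OFFICIAL USE ONLY - draft training plan, not cleared for release."),
    Submission("news/gate-hours.html", "k.roe", "a.reviewer",
               "Main gate hours are 0600 to 2200 daily."),
]

if __name__ == "__main__":
    for path, result in review_batch(SAMPLE).items():
        status = "APPROVED" if result.approved else "HELD"
        print(f"{status:8} {path}")
        for f in result.findings:
            print(f"         - {f}")
```

The aggregation check is the part a per-page review cannot do: the roster page and the deployment page each pass on their own and are held only when the batch is examined together, which is the "information in the aggregate" review that the procedures above did not address. The separation-of-duties check holds the award page because the same account created and approved it.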
Availability of Operations Security Training Courses
The Interagency OPSEC Support Staff (IOSS) sponsors Web OPSEC training through both classroom and e-learning courses. Since April 2007, the IOSS has offered an adjunct faculty option allowing Federal organizations to certify personnel to teach Web OPSEC courses at the local command level. As of December 2009, no DOD organizations had taken advantage of the opportunity to certify adjunct personnel to teach Web OPSEC courses at their respective DOD organizations. The IOSS reports that it has sufficient resources to accommodate the demand for Web OPSEC training for all agencies. Appendix C provides a schedule of available Web OPSEC courses.

Management Oversight
Incentive to Comply With DOD Policy
Ultimately, DOD Web site administrators lack the incentive to ensure the implementation of proper Web site management procedures and internal controls. For instance, there were no penalties for noncompliance with public Web site guidance. Management took no action to determine if sensitive information was posted to DOD public Web sites. In fact, few Web site administrators were aware of the need for a documented process for accountability and authorization prior to posting. Most of the organizations did not maintain records for tracking the posting of sensitive or personal information over the last 5 years. If such incidents should occur, organizations can withdraw the information from a Web site; however, Web archiving tools can still retrieve the information.

Dissemination of Guidance
DOD Web administrators stated that the DEPSECDEF Memorandum was not disseminated to their offices. A total of 168 Web administrators responsible for managing 116 Web sites reported that they received neither the DEPSECDEF Memorandum nor other Web site guidance and were unaware of the Web OPSEC training certification requirement contained in the guidance. Inadequately trained DOD Web site administrators had insufficient knowledge for assessing the nature of security risks associated with reviewing and approving information before posting.

DOD Organization Internal Reviews
DOD organizations failed to conduct internal reviews to ensure that DOD Web site administrators were implementing content review and approval procedures as required. Organizations’ management control plans did not include controls for the review of Web site content review and approval procedures. The absence of internal reviews increases the potential for posting inappropriate content.

Web Risk Assessment Cell Continues to Find Sensitive Information on DOD Publicly Accessible Web Sites
DOD approved the establishment of the JWRAC on February 12, 1999. Its mission is to provide analyses of Web site risk and operations security. From 2007 through 2009, JWRAC identified sensitive information posted to multiple DOD publicly accessible Web sites. For example, improper postings of sensitive information included 702 FOUO documents, 241 occurrences of PII including social security numbers, and 1,124 postings of information designated as “for limited distribution.”

All DOD Components that have established publicly accessible Web sites are responsible for ensuring that the information published on these sites does not compromise national security or place DOD personnel at risk. DOD Component heads are required to enforce the application of comprehensive risk management procedures ensuring that mission benefits gained by using the Web are balanced against the potential security and privacy risks created when aggregated DOD information is more readily accessible over the World Wide Web.

Service Web Risk Assessment Cells
The Army, Navy, and Marine Corps established Web risk assessment cells to conduct assessments of their publicly accessible Web sites, notify commands of Web site violations, and ensure compliance with DOD policy requirements. The Air Force is discussing establishing a Web risk assessment cell but has not set a firm date by which to make a decision. Given the continued findings of sensitive information posted to DOD public Web sites and the current inaccuracies of the Services’ Web site inventories, the Air Force should move forward without further delay and establish a Web risk assessment cell to assess risk and compliance with DOD OPSEC and privacy requirements for its public Web sites.

Upon establishment of a DOD central Web site registration system, personnel working in Service Web risk assessment cells should routinely search for unregistered DOD Web sites. This practice would identify unregistered sites that should be blocked until they are registered.

Conclusion
Many DOD organizations failed to implement the proper public Web site content review and approval procedures for reducing the risk of posting sensitive information on DOD public Web sites. DOD Web site administrators often maintained inconsistent levels of information content review, were unaware of DOD Web site policies, and received little or no proper training. DOD organizations failed to submit Web site certifications or submitted incomplete ones. DOD failed to implement a follow-up process to verify Components’ compliance with the Web site certification reporting requirement.
Proper implementation and strengthening of Web site policies will reduce the risk of posting sensitive information to DOD public Web sites and detrimental impacts to DOD missions and personnel.

Management Comments on the Finding and Our Response
Please see Appendix D for complete management comments and audit responses on the finding.

Recommendations, Management Comments, and Our Response

Revised Recommendation
Recommendation A.2 has been revised in response to comments from the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer and the Vice Director, Defense Information Systems Agency, to better align with the impending issuance of DOD Instruction 8430.aa.

A.1. We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer re-emphasize to all DOD Components the DOD Web Site Administration Policy and Procedures requirements to develop review and approval procedures for information posted to publicly accessible Web sites.

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed, stating the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer will, in coordination with the offices of primary responsibility for information release to the public and operations security, the Director of Administration & Management, and the Under Secretary of Defense for Intelligence, respectively, reemphasize and fully describe current review, clearance, and authorization policies and procedures in the forthcoming DOD Instruction 8430.aa, "DoD Internet Services and Internet-Based Capabilities."

Our Response
The Deputy Chief Information Officer’s comments are responsive and meet the intent of our recommendation. No further comments are required.

A.2. We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, within 120 days, develop and issue a DOD Instruction that requires heads of DOD Components to annually assess and document, with signature, DOD Internet services and use of Internet-based capabilities for compliance with applicable policies and procedures to include, at minimum, that:

    a. Documented review and approval processes are implemented for all public Web sites and copies of the documentation are filed with the DOD Component CIOs;
    b. All Web site administrators have received the proper Web OPSEC training;
    c. All Web site administrators submit a plan of actions and milestones to the responsible head of DOD Component for all public Web sites that have not implemented a documented content review and approval process, and for those personnel who have not received the proper Web OPSEC training;
    d. Web sites and associated processes not brought into compliance with the instruction are shut down or disconnected; and
    e. Joint and Service Web risk assessment cells conduct routine searches for unregistered DOD Web sites.

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed with the original recommendation, stating that the annual policy compliance assessment and corrective action will be mandated in the impending DOD Instruction 8430.aa. In addition, the Deputy Chief Information Officer suggested that the recommendation be revised to better align with the Instruction and provide a more efficient process.

Our Response
The Deputy Chief Information Officer’s comments are partially responsive. We revised Recommendation A.2 to include suggestions from the Deputy Chief Information Officer and the Vice Director, Defense Information Systems Agency. We request that the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer provide comments on Recommendations A.2.a, A.2.b, A.2.c, A.2.d, and A.2.e.

A.3. We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer develop enforcement procedures for noncompliance with the annual certification requirements.

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed. The forthcoming DOD Instruction 8430.aa mandates that Web sites and associated processes comply with the instruction.

Our Response
The Deputy Chief Information Officer’s comments are partially responsive. Management comments do not address the development of enforcement actions for noncompliance with annual assessment requirements. However, management comments and suggestions for Recommendation A.2 establish an annual Web site assessment requirement that, if not complied with, will result in DOD Web sites being shut down or disconnected. No further comments are required.

A.4. We recommend the Director, Joint Web Risk Assessment Cell, expand distribution of its annual OPSEC and threat assessment reports on DOD public Web sites to the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer and the Office of the Under Secretary of Defense for Intelligence.

Defense Information Systems Agency Comments
The Vice Director, Defense Information Systems Agency, agreed. The Vice Director stated that the Joint Web Risk Assessment Cell will expand the distribution of its annual OPSEC and threat assessment report on DOD public Web sites to the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer and the Office of the Under Secretary of Defense for Intelligence.

Our Response
The Vice Director’s comments are responsive and meet the intent of our recommendation. No further comments are required.

A.5. We recommend the Secretary of the Air Force, within 90 days, develop a process to review OPSEC threat and vulnerability risks for all its public Web sites.

Secretary of the Air Force Comments
The Director of Network Services, Office of Information Dominance and Chief Information Officer, responding for the Secretary of the Air Force, agreed. The Director stated the Air Force Telecommunications Monitoring Assessment Program will be utilized to conduct OPSEC vulnerability assessments for release of information to the public via Internet-based Capabilities. Additionally, policy is being developed within AFI 10-701, Operations Security (OPSEC), to address the lack of Air Force directive regarding OPSEC reviews conducted prior to releasing information, as well as training for personnel reviewing information.

Our Response
The Director of Network Services, Office of Information Dominance and Chief Information Officer’s comments are responsive and meet the intent of our recommendation.
No further comments are required.

Finding B. DOD Lacks a Complete Inventory for Publicly Accessible Web Sites
DOD did not comply with requirements to maintain a central Web site registration system. This occurred because, after the disestablishment of the office of primary responsibility under the 2005 Base Realignment and Closure process, the responsibility to operate and maintain a central registration system was not reassigned. In addition, although the Military Services and other DOD organizations had Web site inventory systems, the systems were not accurate or current. Without an accurate inventory system, DOD organizations cannot account for the proper management of all of DOD’s publicly accessible Web sites or reduce the risk of posting personally identifiable, FOUO, and other sensitive information to DOD publicly accessible Web sites.

Criteria for DOD Web Site Inventory
Public Law 104-13, "Paperwork Reduction Act of 1995," Chapter 35, Section 3506, requires each agency to maintain a current and complete inventory of its information resources (including Web sites) to fulfill the requirements of the Government Information Locator Service. Further, Section 3511 requires each agency to establish and maintain its own information locator service as a component of, and to support the operation of, the Government Information Locator Service. Public Law 107-347, 107th Congress, "E-Government Act of 2002," December 17, 2002, amended Public Law 104-13 to require heads of Federal agencies to prepare and maintain an inventory of information resources, including public Web sites.

Office of Management and Budget policy requires agencies to establish a public Web site inventory. Office of Management and Budget Circular A-130, "Management of Federal Information Resources," states that agencies must establish and maintain inventories of all agency information dissemination products[3] by implementing a management system. Also, Office of Management and Budget M-05-04, “Policies for Federal Agency Public Web Sites,” December 17, 2004, requires agencies to establish and maintain inventories for information dissemination products, including public Web sites.

DOD Web site administrative guidance requires the Assistant Secretary of Defense for Public Affairs to provide and maintain a central Web site registration system. Military Services must establish and maintain their own registration systems and integrate their systems within DOD’s central system. To that end, the Army, Navy, Air Force, and Marine Corps each have an individual policy and individual instructions requiring Web site registration.

[3] Under Office of Management and Budget Circular A-130, the term "information dissemination product" means any book, paper, map, machine-readable material, audiovisual production, or other documentary material, regardless of physical form or characteristic, disseminated by an agency to the public.

DOD Web site administrative guidance requires the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer to approve and publish DOD instructions to guide, direct, or help Web site activities, and to coordinate training guidance for requirements addressing information security on the Web.

DOD Did Not Maintain a Central Web Site Inventory of All Publicly Accessible Web Sites
DOD did not comply with requirements to maintain an inventory of all DOD public Web sites. Office of Management and Budget policies that implement the provisions of Public Laws 104-13 and 107-347 require agencies to prepare and maintain an inventory of information resources, to include publicly accessible Web sites. DOD implemented these OMB policies through its DOD Web site administrative guidance.

In 1998, DOD issued the Web site administrative guidance requiring the Assistant Secretary of Defense for Public Affairs to establish and maintain a DOD central Web site registration system. In November 2000, the American Forces Information Service (AFIS), under the authority of the Assistant Secretary of Defense for Public Affairs, received the responsibility to maintain the DOD central Web site registration system. In FY 2000, AFIS began funding the Defense Technical Information Center to operate the DOD central Web site registration system. In 2005, when the Defense Technical Information Center needed to update and redesign the system, AFIS discontinued its funding. As a result, the Defense Technical Information Center terminated the operation of the central Web site registration system.

In 2006, after the registration system was shut down, AFIS began a review of the Web site registration system requirements with the intention of issuing a plan of action by mid- to late April 2006. However, AFIS never completed the review. In October 2008, AFIS was disestablished under the 2005 Base Realignment and Closure process. In January 2008, the Defense Media Activity was established under the authority of the Assistant Secretary of Defense for Public Affairs. AFIS functions, personnel, funding, and associated resources were transferred to the Defense Media Activity.
However, responsibility for the requirement to operate a central Web site registration system was not reassigned.

Inventories of DOD Organizations’ Public Web Sites
Military Services’ and other DOD organizations’ Web site inventories were inaccurate and unreliable. Without an accurate and reliable inventory, the risk of posting personally identifiable, FOUO, and other sensitive information on publicly accessible Web sites will continue to be a concern.

The Military Services and other DOD organizations (see Appendix A) provided lists totaling 3,211 publicly accessible Web sites; however, after testing the list of Web sites for public accessibility, we determined that 791 (25 percent) were not publicly accessible. Specifically, the lists contained password-protected and non-operational Web sites. When we tested the contact information associated with the public Web sites, we found many of the points of contact were outdated. After contacting Web site managers, we found an additional 51 publicly accessible Web sites that were not included in the Components’ inventory lists. See Table 1.

            Table 1. Number of Public Web Sites Reported and Verified

    DOD Component      Reported in           Verified    Password-Protected/    Not Reported in
                       Inventory Listings                Non-Operational        Inventory Listings
    Army                    1,111               791              320                    20
    Navy                      710               647               63                    17
    Air Force                 311               285               26                     0
    Marine Corps              502               336              166                    14
    Other Defense             577               361              216                     0
    Total                   3,211             2,420              791                    51

Army Site Visit Results
A September 2007 Army Audit Agency report found that since 2005, the Army did not have a central Web site registration repository for its public Web sites, even though it had anticipated establishing a central Web site registration system for all Army Web sites by November 2007. We confirmed that the Army had not established an inventory system for public Web sites. In order to respond to the DEPSECDEF Memorandum issued to DOD Components on September 25, 2008, the Office of the Army Chief Information Officer/G-6 issued an All Army Action data call, dated December 8, 2008, for Army public Web sites. The data call required Army commands and agencies to submit a list of their public Web sites and Web site personnel information by February 4, 2009.

We requested a list of Army public Web sites, and on March 31, 2009, the Office of the Army Chief Information Officer/G-6 provided an inventory list of 1,111 public Web sites that was derived from the All Army Action data call. We tested all 1,111 Web sites for public accessibility and found 320 (29 percent) that were not publicly accessible. The inventory listing included password-protected and non-operational Web sites. We also tested Web site inventory point-of-contact information and found much of it was outdated because Web site administrators did not update Web site contact information when personnel changes occurred.

For the Army sites we visited, the inventory list showed 249 Web sites. During our site visits, we verified that all 249 Web sites were publicly accessible. However, we found an additional 20 Web sites not listed by the Army sites we visited.

The Asset and Vulnerability Tracking Resource System, designated on March 12, 2009, as the registration system for all Army public Web sites, was not designed to provide an accurate inventory of Army public Web sites. We received a Web site inventory list based on an Asset and Vulnerability Tracking Resource System report dated June 15, 2009; the system inventory report listed 1,938 public and private Web sites. We requested a separate list of publicly accessible Web sites only and were told that because Web sites, both public and private, were not properly labeled when entered into the system, an accurate report listing public Web sites only was unavailable. For the Asset and Vulnerability Tracking Resource System list of public Web sites to be integrated with a DOD central registration system, the Army system must be able to distinguish between public and all other Web sites, which it does not do.

Results of Navy, Air Force, and Marine Corps Site Visits
Navy, Air Force, and Marine Corps policies require all publicly accessible Web sites to be registered in their respective registration systems.
Secretary of the Navy Instruction\n5720.47B, \xe2\x80\x9cDepartment of The Navy Policy For Content of Publicly Accessible World\nWide Web Sites,\xe2\x80\x9d December 28, 2005, mandates registration of Navy Web sites in the\nNaval Web Site Registration System and Marine Corps Web sites in the Marine Corps\nWeb Site Registration Database. The Air Force Policy Memorandum \xe2\x80\x9cPublic Web Site\nRegistration,\xe2\x80\x9d May 2, 2007, requires registration of Air Force public Web sites in the Air\nForce Public Information Management System.\n\nWe tested the Navy, Air Force, and Marine Corps Web site registration system\ninventories for accuracy and currency. We requested a list of public Web sites and were\nprovided Web site inventory lists derived from each of the three Services\xe2\x80\x99 registration\nsystems:\n    \xe2\x80\xa2 For the listing of 710 Navy-provided Web sites, we found 63 sites (9 percent)\n       were not publicly accessible.\n    \xe2\x80\xa2 For the listing of 311 Air Force-provided Web sites, we found 26 sites (8 percent)\n       were not publicly accessible.\n    \xe2\x80\xa2 For the listing of 502 Marine Corps-provided Web sites, we found 166 sites (33\n       percent) were not publicly accessible.\nThe Navy, Air Force, and Marine Corps Web site lists included password-protected and\nnon-operational Web sites. Point-of-contact information was outdated because Web site\nadministrators did not update contact information when personnel changes occurred.\n\nIn addition, for the Navy sites we visited, the inventory list showed 25 Web sites. During\nour site visits, we verified that all 25 Web sites were publicly accessible, and we found an\nadditional 17 Web sites not listed on the Navy inventory. For the Marine Corps sites we\nvisited, the inventory list showed 24 Web sites. During our site visits, we verified that all\n24 Web sites were publicly accessible; however, we found an additional 14 Web sites not\nlisted on the Marine Corps inventory. 
One possible explanation for some of the inaccuracies in the Marine Corps listing is the ongoing effort to migrate all Marine Corps public Web sites to the new Web site, www.marines.mil. Internal control guidance for the Navy, Air Force, and Marine Corps did not mandate review of each Service's public Web sites.

18

Other DOD Organization Site Visit Results
We reviewed Web site registration practices and requirements for 12 DOD agencies, 5 offices of the Office of the Secretary of Defense, and 1 combatant command. We requested public Web site inventory lists from these DOD organizations, which provided lists containing 577 Web sites. We tested all 577 Web sites for public accessibility and determined that 216 (37 percent) were not publicly accessible. The 216 Web sites included password-protected and non-operational Web sites.

Although DOD Web site administrative guidance requires the Military Services to establish and maintain a Web site registration system, the requirement does not extend to DOD agencies and the offices of the Secretary of Defense. However, the Web site registration requirement should extend to DOD organizations such as the Defense Logistics Agency and the Defense Information Systems Agency, which operate multiple public Web sites. DOD should establish a threshold requirement for non-Service DOD organizations such as the Defense Information Systems Agency and Defense Logistics Agency to establish and maintain a public Web site registration system based on the number of public Web sites they operate.
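The inventory tests described above (probe every registered URL, count the entries that are password-protected or non-operational, then compare sites observed during site visits against the registration system) can be scripted. The following is an added example, not part of the DOD IG report and not any Service's registration-system code. The host names, the probe outcomes, and the mapping from HTTP result to the report's three categories are constructed assumptions so that it runs offline; a live check would replace fake_probe() with an unauthenticated GET issued from outside the organization's network.

```python
"""Reconcile a public Web site inventory against what is actually reachable.

Added illustration (not the audit's tooling). Sample hosts and probe
results are constructed; the status-to-category mapping is an assumption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


class Status(Enum):
    PUBLIC = "publicly accessible"
    PASSWORD_PROTECTED = "password-protected"
    NON_OPERATIONAL = "non-operational"


@dataclass(frozen=True)
class ProbeResult:
    http_status: Optional[int]        # None: no HTTP response at all
    error: Optional[str] = None       # DNS failure, refused, timeout
    final_url: Optional[str] = None   # where redirects ended, if any


# Path fragments that usually mean a 200 was really a login page (assumption).
LOGIN_MARKERS = ("login", "signin", "sso")


def classify(result: ProbeResult) -> Status:
    """Map one probe to the report's three categories."""
    code = result.http_status
    if code is None or code == 404 or code >= 500:
        return Status.NON_OPERATIONAL      # nothing the public can reach
    if code in (401, 403, 407):
        return Status.PASSWORD_PROTECTED   # reachable but gated
    if result.final_url:
        path = urlsplit(result.final_url).path.lower()
        if any(marker in path for marker in LOGIN_MARKERS):
            return Status.PASSWORD_PROTECTED  # 200 after a bounce to a login form
    if 200 <= code < 400:
        return Status.PUBLIC
    return Status.NON_OPERATIONAL


def host_key(url: str) -> str:
    """Canonical host so 'www.x.mil/', 'http://x.mil' and 'X.MIL' compare equal."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_inventory(inventory: List[str], probe: Callable[[str], ProbeResult]
                    ) -> Tuple[Dict[Status, List[str]], int]:
    """Bucket every registered URL by probe result and return the buckets plus
    the rounded percentage of entries that were not publicly accessible."""
    buckets: Dict[Status, List[str]] = {s: [] for s in Status}
    for url in inventory:
        buckets[classify(probe(url))].append(url)
    not_public = len(inventory) - len(buckets[Status.PUBLIC])
    pct = round(100 * not_public / len(inventory)) if inventory else 0
    return buckets, pct


def unregistered(inventory: Iterable[str], observed: Iterable[str]) -> List[str]:
    """Hosts seen in the field (site visit, DNS or certificate enumeration)
    that have no entry in the registration system."""
    known = {host_key(u) for u in inventory}
    return sorted({host_key(u) for u in observed} - known)


# Constructed sample data: hypothetical hosts, not real DOD sites.
INVENTORY = [
    "http://www.example-garrison.mil/",
    "http://portal.example-garrison.mil/",
    "http://old.example-wing.mil/",
    "http://intranet.example-command.mil/",
    "http://www.example-squadron.mil/",
    "http://cms.example-region.mil/",
]
FAKE_RESPONSES = {
    "http://www.example-garrison.mil/": ProbeResult(200),
    "http://portal.example-garrison.mil/": ProbeResult(401),
    "http://old.example-wing.mil/": ProbeResult(None, error="name resolution failed"),
    "http://intranet.example-command.mil/": ProbeResult(
        200, final_url="https://intranet.example-command.mil/login"),
    "http://www.example-squadron.mil/": ProbeResult(200),
    "http://cms.example-region.mil/": ProbeResult(503),
}
OBSERVED_DURING_VISIT = [
    "example-garrison.mil",
    "WWW.example-squadron.mil",
    "http://mwr.example-region.mil/",   # live, never registered
]


def fake_probe(url: str) -> ProbeResult:
    """Stand-in for a real HTTP probe; answers from the constructed table."""
    return FAKE_RESPONSES.get(url, ProbeResult(None, error="no response"))


if __name__ == "__main__":
    buckets, pct = audit_inventory(INVENTORY, fake_probe)
    for status, urls in buckets.items():
        print(f"{status.value}: {len(urls)}")
    print(f"not publicly accessible: {pct}%")
    print("unregistered:", unregistered(INVENTORY, OBSERVED_DURING_VISIT))
```

Two design points matter for a real run. The probe must be unauthenticated and originate off-network; a check from inside the enclave will report intranet-only sites as reachable. And the comparison is by canonical host, not by the literal string in the registry, because the inventories in this audit carried stale URLs and the same site registered under "www." and bare-host forms.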
Web site administrators reported they were unaware of any Federal or DOD policy requiring them to register their public Web sites outside of their offices.

Management Actions
According to the Defense Media Activity Director of Public Web sites, the Defense Media Activity established a new Web site registration capability at the Defense.gov Web site in August 2009. The activity had not issued a DOD-wide notification of the new registration capability as of August 30, 2010. Implementation of the Web site registration application provides a capability for DOD Web site managers to register their public Web sites. However, completion of the registration application does not completely fulfill the requirements of public law and Federal policy to maintain a current and complete inventory of information dissemination products. Additionally, the application does not fully comply with DOD policy, which requires all Service registration systems to integrate with the DOD registration system.

Conclusion
DOD did not maintain an agency-wide inventory of its public Web sites as required by law and DOD policy. Military Services were not maintaining Web site inventory systems that reflect an accurate accounting of their publicly accessible Web sites. Twenty-five percent of the Web sites listed in the public Web site inventories for the Military Services and DOD organizations were not publicly accessible.
Without an accurate inventory, DOD organizations cannot account for the proper management of all of their publicly accessible Web sites to reduce the risk of posting personally identifiable, FOUO, and other sensitive information to DOD publicly accessible Web sites.

Recommendations, Management Comments, and Our Response
B.1. We recommend the Assistant Secretary of Defense for Public Affairs identify the system that will maintain the inventory of all DOD publicly accessible Web sites and notify all Components of their requirements to register publicly accessible Web sites within 120 days.

Assistant Secretary of Defense for Public Affairs Comments
The Deputy Assistant Secretary of Defense for Outreach and Social Media, responding for the Assistant Secretary of Defense for Public Affairs, agreed. The Deputy Assistant Secretary of Defense for Outreach and Social Media stated that the registration requirements are published in the existing "Web Site Administration Policies and Procedures," and these requirements will be reissued in the impending DOD Instruction 8430.aa, "DOD Internet Services and Internet-Based Capabilities."

Our Response
The Deputy Assistant Secretary of Defense for Outreach and Social Media's comments are responsive and meet the intent of the recommendation. No further comments are required.

B.2. We recommend the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer:

        a.
Require all DOD organizations to register their publicly accessible Web sites with the re-established registration system implemented in Recommendation B.1.

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed. The Deputy Chief Information Officer stated the impending DOD Instruction 8430.aa will mandate procedures to register Internet addresses and contact information for all DOD Internet services, external official presence,⁴ and other official uses in the registration and inventory system(s) hosted by the Assistant Secretary of Defense for Public Affairs on Defense.gov.

⁴ External official presence is defined by draft DOD Instruction 8430.aa as official public affairs activities, as defined in DOD Instruction 5400.13, conducted on Internet-based capabilities (e.g., Combatant Commands on Facebook, Chairman of the Joint Chiefs of Staff on Twitter).

        b. Develop and implement policies to enforce the registration of all DOD publicly accessible Web sites.

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed. The impending DOD Instruction 8430.aa mandates that Web sites be registered. Additionally, the comments on Recommendation A.2 establish that Web sites not brought into compliance with the instruction will be shut down or disconnected.

        c.
Require DOD Component Chief Information Officers to maintain accurate inventories of publicly accessible Web sites and ensure their inventories are integrated with the re-established DOD-wide public Web site registration system.

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, agreed. The Deputy Chief Information Officer stated the impending DOD Instruction 8430.aa assigns DOD Component Chief Information Officers the responsibility to advise the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer and to ensure that the policies for the use of DOD Internet services and Internet-based capabilities issued by the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer are implemented within the Component. The instruction will also establish the requirement to register the Internet addresses and contact information for all DOD Internet services, external official presence, and other official uses in the registration and inventory system(s) hosted by the Assistant Secretary of Defense for Public Affairs on Defense.gov.

        d. Establish a minimum threshold based on the number of publicly accessible Web sites managed by non-Service DOD organizations requiring the organizations to establish and maintain an integrated Web site registration system.

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments
The Deputy Chief Information Officer, responding for the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, partially agreed.
The Assistant Secretary of Defense for Public Affairs will host and operate a registration and inventory system(s) capable of serving the inventory needs of all DOD Components. DOD Components may optionally operate organizational inventory systems to meet their specific needs, but policy should not require the establishment of potentially redundant systems. The impending DOD Instruction 8430.aa has been modified to require the Assistant Secretary of Defense for Public Affairs to host and operate a registration system(s) for the addresses of public DOD Web sites and external official presence that is capable of producing individual Component inventories. The instruction also requires that the CIOs ensure that the Component's inventory of public Web sites and external official presence is maintained on the registration and inventory system(s) hosted and operated by the Assistant Secretary of Defense for Public Affairs.

Our Response
The Deputy Chief Information Officer's comments are responsive and meet the intent of Recommendations B.2.a, B.2.b, B.2.c, and B.2.d. We agree that the creation of potentially redundant systems should be avoided and that the implementation of a fully functional central DOD Web site inventory system is essential to serving the inventory needs of all DOD Components. We confirmed that the draft DOD Instruction 8430.aa contains the requirement for inventory capability and requires the Assistant Secretary of Defense for Public Affairs to host and operate a registration system(s) for the addresses of public DOD Web sites and external official presence that is capable of producing individual Component inventories. No further comments are required.

Appendix A.
Scope and Methodology
We conducted this performance audit from February 2009 through August 2010 in accordance with generally accepted government auditing standards. The standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We evaluated the implementation of the DOD Web Site Administration Policies and Procedures; Deputy Secretary of Defense Memorandum; and Information Security/Web site Alert. We interviewed personnel and obtained information from the Military Services, 12 Defense Agencies, 5 Secretary of Defense offices, and 1 Combatant Command, including the Defense Logistics Agency, Defense Information Systems Agency, Defense Technical Information Center, Defense Contract Audit Agency, Defense Threat Reduction Agency, Defense Media Activity, TRICARE Management Activity, Defense Finance and Accounting Service, Defense Prisoner of War/Missing Personnel Office, National Geospatial-Intelligence Agency, Defense Advanced Research Projects Agency, and National Security Agency; the Office of the General Counsel, Assistant Secretary of Defense for Public Affairs, Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer, Under Secretary of Defense for Acquisition, Technology, and Logistics, and Secretary of Defense Chief Information Officer; U.S. Strategic Command; and Public Affairs Officers and Web administrators with the Departments of the Army, Navy, Air Force, and Marine Corps.

We non-statistically selected military installations with publicly accessible Web sites to determine compliance with DOD Web site administrative guidance.
Our review included the following 41 military installations, selected because of a concentrated number of publicly accessible Web sites in a particular location.

   •   Army Medical Department Center and School, Fort Sam Houston, Texas
   •   Army Medical Command, Fort Sam Houston, Texas
   •   U.S. Army Garrison, Fort Sam Houston, Texas
   •   U.S. Army North, Fort Sam Houston, Texas
   •   U.S. Army South, Fort Sam Houston, Texas
   •   Navy Region Southwest Morale, Welfare, and Recreation, San Diego, California
   •   Commander Navy Region Southwest, San Diego, California
   •   Helicopter Maritime Strike Squadron Four One, Naval Air Station North Island, San Diego, California
   •   Helicopter Anti-Submarine Squadron Light Four Five, Naval Air Station North Island, San Diego, California
   •   Commander Helicopter Maritime Strike Wing, U.S. Pacific Fleet, Naval Air Station North Island, San Diego, California
   •   Helicopter Sea Combat Squadron Two One, Naval Air Station North Island, San Diego, California
   •   Commander, Naval Beach Group One, Naval Amphibious Base Coronado, San Diego, California
   •   Commander, Naval Surface Forces, Naval Amphibious Base Coronado, San Diego, California
   •   Space and Naval Warfare Systems Command, San Diego, California
   •   Commander Explosive Ordnance Disposal Group One, Naval Amphibious Base Coronado, San Diego, California
   •   Tactical Air Control Squadron Twelve, Naval Amphibious Base Coronado, San Diego, California
   •   Navy Medical Center, San Diego, California
   •   Commander, Submarine Forces, U.S. Pacific Fleet, Pearl Harbor, Hawaii
   •   Patrol Squadron 47, Kaneohe Bay Marine Corps Base, Kaneohe, Hawaii
   •   Patrol Squadron 9, Kaneohe Bay Marine Corps Base, Kaneohe, Hawaii
   •   Personnel Support Detachment Activity Pearl Harbor, Honolulu, Hawaii
   •   Commander U.S. Pacific Fleet, Honolulu, Hawaii
   •   Pearl Harbor Naval Shipyard, Pearl Harbor, Hawaii
   •   Joint Pacific Command, Hickam Air Force Base, Hawaii
   •   Mobile Diving and Salvage Unit One, Hickam Air Force Base, Hawaii
   •   Commander Navy Region Hawaii Fleet and Family Readiness Group, Pearl Harbor, Hawaii
   •   Naval Computer and Telecommunications Area Master Station Pacific, Wahiawa, Hawaii
   •   Commander Navy Region Hawaii, Pearl Harbor, Hawaii
   •   Air Education and Training Command/37th Training Wing, Lackland Air Force Base, Texas
   •   Air Education and Training Command/Wilford Hall Medical Center, Lackland Air Force Base, Texas
   •   Air Force Reserve Command/433rd Airlift Wing, Lackland Air Force Base, Texas
   •   Air Force Security Forces Center, Lackland Air Force Base, Texas
   •   Air National Guard/149th Fighter Wing, Lackland Air Force Base, Texas
   •   Air Education and Training Command/12th Flying Training Wing, Randolph Air Force Base, Texas
   •   Air Education and Training Command/Headquarters, Randolph Air Force Base, Texas
   •   Air Force Personnel Center, Randolph Air Force Base, Texas
   •   First Marine Expeditionary Force, Camp Pendleton, San Diego, California
   •   Third Marine Aircraft Wing, Marine Corps Air Station Miramar, San Diego, California
   •   First Marine Division, Camp Pendleton, San Diego, California
   •   First Marine Logistics Group, Camp Pendleton, San Diego, California
   •   Marine Corps Base Hawaii, Kaneohe Bay, Hawaii

Use of Computer-Processed Data
We did not use computer-processed data to perform this audit.

Prior Coverage
During the last 9 years, the Department of Defense Inspector General (DOD IG), the Department of the Army, and the Department of the Navy have issued six reports discussing Web site security policy. Unrestricted DOD IG reports can be accessed at http://www.dodig.mil/audit/reports. Unrestricted Army reports can be accessed at https://www.aaa.army.mil/. Navy reports are unavailable over the Internet.

DOD IG
DOD IG Report No. D-2002-129, "DOD Web Site Administration, Policies, and Practices," July 19, 2002

DOD IG Report No. D-2002-098, "Army Web Site Administration, Policies, and Practices," June 5, 2002

DOD IG Report No. D-2002-062, "Air Force Web Site Administration, Policies, and Practices," March 13, 2002

DOD IG Report No. D-2001-130, "DOD Internet Practices and Policies," May 31, 2001

Army
U.S. Army Audit Agency Report No. A-2007-0206-FFI, "Army Web Sites: Army Chief Information Officer/G-6," September 7, 2007

Navy
Naval Audit Service Report No. N2002-0034, "Department of the Navy Publicly Accessible Web Sites," March 1, 2002

Appendix B.
Public Web Site Certification Compliance

Columns: (1) submitted certification by due date 1-20-09; (2) submitted certification after extended due date 1-20-09; (3) agency did not certify; (4) submitted after IG contacted agency; (5) certification contained all data required; (6) certification missing required data. Dates show when the certification was submitted; an entry under (5) or (6) names what the certification included or lacked (POA&M is plan of action and milestones).

DOD Component | (1) By due date | (2) After extended due date | (3) Did not certify | (4) After IG contact | (5) Contained all data | (6) Missing data
Department of the Army | | April 17 09 | | X | POA&M |
Department of the Navy | | Jan 27 09 | | | POA&M |
Department of the Air Force | | Jan 29 09 | | | | Training, POA&M
Marine Corps | | Jan 27 09 | | | POA&M |
Business Transformation Agency | | Feb 17 09 | | | X |
Defense Advanced Research Projects Agency | Dec 23 08 | | | | | Review & Approval, Training
Defense Contract Management Agency | Dec 04 08 | | | | | Training
Defense Commissary Agency | Dec 18 08 | | | | | Training
Defense Security Service | | June 23 09 | | X | X |
Defense Finance and Accounting Service | | | X | | |
Defense Intelligence Agency | Dec 23 08 | | | | | Training
Defense Information Systems Agency | Dec 01 08 | | | | | Training, POA&M
Defense Logistics Agency | | Feb 25 09 | | | POA&M |
Defense Security Cooperation Agency | Oct 29 08 | | | | X |
Missile Defense Agency | Dec 24 08 | | | | X |
National Geospatial-Intelligence Agency | | Jan 23 09 | | | | Training
National Security Agency | Jan 20 09 | | | | X |
Pentagon Force Protection Agency | | Mar 11 09 | | | Training, POA&M |
Defense Media Activity | | | X | | |
Defense Human Resource Activity | | | X | | |
Defense Manpower Data Center | | | X | | |
OUSD Personnel and Readiness Information Management | | | X | | |
Defense Department Advisory Committee on Women in the Services | | | X | | |
Defense Personnel Security Research Center | | | X | | |
Employer Support of the Guard and Reserve | | | X | | |
Federal Voting Assistance Program | | | X | | |
DOD Office of the Actuary | | | X | | |
DOD Sexual Assault Prevention and Response Office | | | X | | |
Defense Travel Management Office | | | X | | |
National Defense University | | Aug 07 09 | | X | POA&M |
DOD Education Activity | | Mar 18 09 | | | | Training
DOD Prisoner of War/Missing Personnel Office | | | X | | |
Defense Technical Information Center | | April 14 09 | | X | X |
DOD Test Resources Management Center | | | X | | |
Defense Technology Security Administration | | | X | | |
Director of Administration & Management | | | X | | |
Office of Economic Adjustment | | | X | | |
TRICARE Management Activity/Health Affairs | | Aug 13 09 | | X | | Training
Washington Headquarters Services | | Mar 02 09 | | | POA&M |
Acquisition, Technology & Logistics | | Feb 18 09 | | | POA&M |
Director Defense Research and Engineering | | | X | | |
Under Secretary of Defense for Intelligence | | | X | | |
Office of the Secretary of Defense, Policy | Dec 24 08 | | | | X |
Assistant Secretary of Defense for International Security Affairs | | | X | | |
Assistant Secretary of Defense for Asian and Pacific Security Affairs | | | X | | |
USD Personnel and Readiness | | | X | | |
OSD Comptroller | | | X | | |
Defense Contract Audit Agency | | Jan 21 09 | | | POA&M |
Director, Net Assessment | | | X | | |
Office of General Counsel | | Jun 17 09 | | X | | Training, POA&M
OSD Public Affairs | | | X | | |
Legislative Affairs | | | X | | |
Alternate Joint Communications Center Raven Rock | | | X | | |
Director of Operational Test and Evaluation | Dec 19 08 | | | | POA&M |
Program Analysis and Evaluation | | Jan 29 09 | | | POA&M |
Civilian Personnel Management Service | | Apr 20 09 | | | X |
North American Aerospace Defense Command | | | X | | |
Assistant Secretary of Defense for Intelligence Oversight | | | X | | |
Defense Business Board | | | X | | |
Joint Staff | | | X | | |
Northern Command | | | X | | |
Pacific Command | | | X | | |
Southern Command | | | X | | |
Central Command | | | X | | |
European Command | | | X | | |
Special Operations Command | | | X | | |
Transportation Command | | | X | | |
Joint Forces Command | | | X | | |
Strategic Command | | Oct 15 09 | | X | X |
Africa Command | | | X | | |
DOD Office of Inspector General | | Jan 8, 10 | | X | X |
Defense Threat Reduction Agency | | | X⁵ | | |
Networks and Information Integration/Chief Information Officer | | Nov 17, 09 | | X | | Training
Totals | 10 | 22 | 41 | 9 | 21 | 11

⁵ DTRA submitted a draft SOP document.

Appendix C. Interagency Operations Security Support Staff FY 2010 Training Schedule for Courses OPSE-1500 and OPSE-3500

Course Date | Course Name | NCS Course # | Location
Oct. 20-21 | OPSEC & Public Release Decisions | OPSE-1500 | IOSS - Greenbelt, MD
Nov. 2-4 | OPSEC & Web Risk Assessment | OPSE-3500 | IOSS - Greenbelt, MD
Nov. 17-18 | OPSEC & Public Release Decisions | OPSE-1500 | E-Learning
Jan. 11-13 | OPSEC & Web Risk Assessment | OPSE-3500 | IOSS - Greenbelt, MD
Jan. 26-27 | OPSEC & Public Release Decisions | OPSE-1500 | IOSS - Greenbelt, MD
Feb. 23-24 | OPSEC & Public Release Decisions | OPSE-1500 | E-Learning
Mar. 22-24 | OPSEC & Web Risk Assessment | OPSE-3500 | IOSS - Greenbelt, MD
Apr. 26-27 | OPSEC & Public Release Decisions | OPSE-1500 | IOSS - Greenbelt, MD
June 14-16 | OPSEC & Web Risk Assessment | OPSE-3500 | IOSS - Greenbelt, MD
June 22-23 | OPSEC & Public Release Decisions | OPSE-1500 | E-Learning
Aug. 3-4 | OPSEC & Public Release Decisions | OPSE-1500 | IOSS - Greenbelt, MD
Aug. 30-Sep. 1 | OPSEC & Web Risk Assessment | OPSE-3500 | IOSS - Greenbelt, MD
Sep. 21-22 | OPSEC & Public Release Decisions | OPSE-1500 | E-Learning

Appendix D. Management Comments on the Findings and Our Response
Defense Information Systems Agency Comments on the Findings
The Vice Director, Defense Information Systems Agency, responded for the Director, Joint Web Risk Assessment Cell. Below are excerpts from the draft report, clarifications that the Defense Information Systems Agency recommended, and audit responses.

Item 1 (page i, "What We Recommend")
Excerpt: "Require heads of DOD Components to certify annually that a documented Web review and approval process has been developed and implemented. Require all Web administrators to receive the proper Web operations security training. Require Military Services to maintain an integrated registration system with the DOD's registration system."

Management Comments.
Add 4th recommendation bullet to read "Upon establishment of a DOD central Web site registration system, personnel working in Joint and Service Web Risk Assessment Cells should routinely search for unregistered DOD Web sites. This practice would identify unregistered sites that should be blocked until they are registered."

Audit Response. Our revised Recommendation A.2 includes the requirement to routinely search for unregistered DOD Web sites and disconnect Web sites that are not in compliance with the forthcoming DOD Instruction 8430.aa, which will require all public Web sites to be registered within a DOD central Web site inventory system.

Item 2 (page ii, "Recommendations Table")
Excerpt: "Recommendations Requiring Comment."

Management Comments. "Suggest that corresponding page numbers be included in the 'Recommendations Requiring Comment' entries located in the right-hand column of the Recommendations Table."

Audit Response. We reviewed the management comments and determined that the report revisions were not required. Adding page numbers in the Recommendations Table is contrary to internal DOD OIG policy.

Item 3 (page 1, "Joint Web Risk Assessment Cell")
Excerpt: "The Joint Web Risk Assessment Cell (JWRAC), a DEPSECDEF-chartered cell within the Defense Information Systems Agency, is responsible for conducting analyses of content and data on DOD publicly accessible Web sites. JWRAC reviews Web sites for compliance with existing DOD Web policy and directs remediation actions to bring Web sites into compliance. JWRAC performs analyses of the aggregate data to determine any existing OPSEC risks that may pose an immediate or potential threat to warfighters."

Management Comments. Suggest editing lines 1 and 2 to read, "The Joint Web Risk Assessment Cell (JWRAC), a DEPSECDEF-chartered cell within the Defense Information Systems Agency, is responsible for conducting operations security (OPSEC) assessments and trend analyses of content and data on DOD publicly accessible Web sites."

Audit Response. We reviewed the management comments and determined that the report revisions were required. We made the revisions as suggested.

Item 4 (page 1, "Joint Web Risk Assessment Cell")
Excerpt: "JWRAC performs analyses of the aggregate data to determine any existing OPSEC risks that may pose an immediate or potential threat to warfighters."

Management Comments. Suggest revising lines 5 and 6 to read "The JWRAC performs analyses of the data to determine any existing OPSEC risks that may pose an immediate or potential threat to warfighters."

Audit Response. We reviewed the management comments and determined that the report revisions were required. We made the revisions as suggested.

Item 5 (page 2, "Joint Web Risk Assessment Cell")
Excerpt: "According to officials, JWRAC conducts analysis of organization Web sites primarily by request from DOD organizations."

Management Comments. Suggest revising lines 1 and 2 to read "According to officials, JWRAC conducts analyses of organization Web sites on an annual schedule and by request from DOD organizations."

Audit Response. We reviewed the management comments and determined that the report revisions were required. We made the revisions as suggested.

Item 6 (page 10, "Incentive to Comply With DOD Policy")
Excerpt: "Management took no action when sensitive information was posted."

Management Comments. Suggest removing sentence 2, which reads "Management took no action when sensitive information was posted." This sentence appears to contradict the information located on page 7, paragraph 3 (lines 3 and 4), which states "After we notified the manager of the noncompliance, they removed the PII from the seven public Web sites we identified."

Audit Response. We reviewed the management comments and determined that the report revisions were required. We revised the sentence to clarify its intent.

Item 7 (page 12, "Service Web Risk Assessment Cells")
Excerpt: "Upon establishment of a DOD central Web site registration system, personnel working in Service Web Risk Assessment Cells should routinely search for unregistered DOD Web sites. This practice would identify unregistered sites that should be blocked until they are registered."

Management Comments. Suggest deleting the paragraph and adding it to page i, paragraph 7, immediately following the 3 other recommendations, and add the words "Joint" and "and" to the second line of the paragraph.

Audit Response. Our revised Recommendation A.2 includes the requirement to routinely search for unregistered DOD Web sites and disconnect Web sites that are not in compliance with the forthcoming DOD Instruction 8430.aa, which will require all public Web sites to be registered within a DOD central Web site inventory system.

Item 9 (page 13, "Recommendations")
Excerpt: "We recommend the Secretary of the Air Force within 90 days develop a process to review OPSEC threat and vulnerability risks for all its public Web sites."

Management Comments.
Edit Recommendation A.5 to read \xe2\x80\x9cWe recommend the\nSecretary of the Air Force within 90 days develop a process to review OPSEC threat and\nvulnerability risks for all its public Web sites, to include establishing an Air Force Web\nRisk Assessment Cell.\xe2\x80\x9d \xe2\x80\x9cEach military Component needs to maintain a Web risk\nassessment cell in order to perform Web OPSEC vulnerability assessments of its\nrespective Service\'s public Web sites. The Air Force is the only Service Component that\ndoes not have an operational Web risk assessment cell.\xe2\x80\x9d\n\nAudit Response. We reviewed client comments and determined that report revisions\nwere not required. Air Force provided comments to this report designating the Air Force\nTelecommunications Monitoring Assessment Program to conduct Web OPSEC\nvulnerability assessments for release of information to the public via Internet-based\ncapabilities.\n\n\n\n\n                                            35\n\x0cAppendix E. Criteria for DOD Web Site\nInventory\nPublic Law\n   \xe2\x80\xa2   Public Law 104-13, "Paper Reduction Act of 1995," Chapter 35:\n          o Section 3506 \xe2\x80\x93 Each agency shall maintain a current and complete\n              inventory of the agency\'s information resources to fulfill the requirements\n              of Section 3511.\n          o Section 3511 \xe2\x80\x93 The Director of the Office of Management and Budget\n              shall establish and maintain an electronic Government Information\n              Locator Service, which shall identify the major information systems,\n              holdings, and dissemination products (including Web sites) of each\n              agency. 
              Further, the Law requires each agency to establish and maintain its own information locator service as a component of, and to support the operation of, the Government Information Locator Service.
   •   Public Law 107-347, 107th Congress, "E-Government Act of 2002," December 17, 2002 – Each Federal agency shall develop and establish a public domain directory (inventory) of public Web sites.

Office of Management and Budget
   •   Office of Management and Budget Circular A-130, "Management of Federal Information Resources" – Agencies will maintain and implement a management system for all information dissemination products which must establish and maintain inventories of all agency Web sites. According to the guidance, the term “information dissemination product” means any book, paper, map, machine-readable material, audiovisual production, or other documentary material, regardless of physical form or characteristic, disseminated by an agency to the public.
   •   Office of Management and Budget M-05-04, “Policies for Federal Agency Public Web Sites,” December 17, 2004 – Federal agency public Web sites are information dissemination products as defined in OMB Circular A-130. Agencies are required, under OMB Circular A-130 and Public Law 104-13, to establish and maintain inventories of information dissemination products.

DOD
“Web Site Administration Policies and Procedures,” November 25, 1998, updated January 11, 2002.
   •   The Assistant Secretary of Defense for Public Affairs is responsible for establishing and maintaining a central Web site registration system for DOD that meets the requirements for the Government Information Locator Service and is integrated with each Service-level registration system.
   •   The Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer is responsible for:
          o providing DOD procedural guidance for establishing, operating, and maintaining Web sites;
          o developing and maintaining training guidance and requirements addressing information security on the Web; and
          o approving and publishing DOD instructions and publications to guide, direct, or assist Web site activities.
   •   The Heads of the DOD Components shall register each publicly accessible Web site with the Government Information Locator Service. Further, each Service will establish and maintain Web site registration systems integrated with DOD’s central Web site registration system.

Appendix F. Deputy Secretary of Defense Memo for Office of the Inspector General

DEPUTY SECRETARY OF DEFENSE
MEMORANDUM FOR INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE

[Scanned memorandum; remaining text not legible]

Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer Comments

Final Report Reference: Revised; Added A.2.d and A.2.e

Assistant Secretary of Defense for Public Affairs Comments

Secretary of the Air Force Comments

Defense Information Systems Agency (Joint Web Risk Assessment Cell) Comments

Final Report Reference: Revised; Added Recommendation A.2.e, Page 13
Final Report Reference: Revised, Page 1
Final Report Reference: Revised, Page 1
Final Report Reference: Revised, Page 2
Final Report Reference: Revised, Page 10
Final Report Reference: Revised; Added Recommendation A.2.e, Page 13'